On 10/6/2013 7:52 PM, Dan Langille wrote:
> I managed to get this running tonight and I'm looking for sanity checking, in
> case I'm completely missing something. Thanks.
>
> I wish to allow incoming mail from any client with a valid certificate. My
> master.cf is:
>
> 10.0.0.1:submission inet n - n - - smtpd
> -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination

You probably want to use "reject" rather than "reject_unauth_destination" to prevent outsiders from sending local mail via submission.

> -o smtpd_tls_req_ccert=yes
> -o smtpd_tls_auth_only=no
> -o smtpd_tls_security_level=encrypt
> -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
> -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
> -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
> -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination

This is OK since it fulfills the intended function of preventing unauthorized relaying, but for consistency and simplicity you might want to change it to match your -o smtpd_recipient_restrictions.

> -o smtpd_tls_ask_ccert=yes
> -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
> -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access

Your sender_access file has no effect right now. To restrict submission to a single sender domain, use something like:

# main.cf
submission_sender_restrictions =
    check_sender_access hash:/usr/local/etc/postfix-config/sender_access
    reject

# master.cf
10.0.0.1:submission ... ...
  -o smtpd_sender_restrictions=$submission_sender_restrictions

Also, remember that any other smtpd_*_restrictions settings you have in main.cf will be inherited by your master.cf submission service. Some people find it useful to explicitly set unused restrictions empty to prevent surprises.

  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=

-- 
  Noel Jones

> I have some DNS issues (some of these hosts are remote and do not have public
> DNS entries)
>
> # cat /usr/local/etc/postfix-config/sender_access
> cliff.example.org OK
>
> The fingerprint for each incoming client is listed here:
>
> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
>
> I have this working. It seems to do what I want.
>
> For what it's worth: This is just for my use, no other users.
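A small helper for the relay_clientcerts table discussed in the thread, added here as an example (it is not code from the thread or from Postfix). It assumes the table keys are certificate fingerprints computed with the smtpd_tls_fingerprint_digest algorithm, md5 (16 bytes) on a 2013-era Postfix as above and sha256 (32 bytes) on current releases; the PEM body below is constructed bytes standing in for a real DER certificate so the script runs offline.

```python
"""Build and sanity-check Postfix relay_clientcerts entries (added example).

Postfix looks up permit_tls_clientcerts clients by the fingerprint of the
client's DER certificate, written as colon-separated uppercase hex.  An entry
made with one digest silently never matches after the digest is changed, so
the checker flags keys whose length disagrees with the configured digest.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(pem: str, digest: str = "md5") -> str:
    """relay_clientcerts key for a PEM cert; same value as
    'openssl x509 -noout -fingerprint -<digest> -in cert.pem'."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))  # strip line breaks, decode
    h = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_relay_clientcerts(text: str, digest: str = "md5") -> list:
    """Return (line_number, problem) for malformed or digest-mismatched entries."""
    want = hashlib.new(digest).digest_size
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are fine
        parts = line.split()[0].split(":")
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
            problems.append((n, "key is not a colon-separated hex fingerprint"))
        elif len(parts) != want:
            problems.append((n, f"{len(parts)}-byte key, but {digest} needs {want}"))
    return problems


# Constructed sample: the base64 body is arbitrary bytes, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
# The table from the thread: a 16-byte (md5) key.
SAMPLE_TABLE = "3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org\n"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM, "md5"))
    print(check_relay_clientcerts(SAMPLE_TABLE, "md5"))     # []
    print(check_relay_clientcerts(SAMPLE_TABLE, "sha256"))  # length mismatch reported
```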